DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26335: Skeleton Keys in the Expense Report: The Calero VeraSMART RCE


Vulnerability ID: CVE-2026-26335
CVSS Score: 9.3
Published: 2026-02-13

A critical failure in cryptographic key management within Calero VeraSMART allows unauthenticated attackers to achieve Remote Code Execution (RCE) via ASP.NET ViewState deserialization. By shipping identical machineKey values in the web.config across all installations, the vendor essentially provided a master key to every instance of the software.

TL;DR

Calero VeraSMART < 2022 R1 uses hardcoded ASP.NET machine keys. Attackers can use these static keys to sign malicious ViewState payloads, triggering server-side deserialization and arbitrary code execution.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-321 (Hard-coded Cryptographic Key)
  • CVSS 4.0: 9.3 (Critical)
  • Attack Vector: Network (Remote)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: PoC Available / Active in Wild
  • EPSS Score: 0.08% (Rising)

Affected Systems

  • Calero VeraSMART < 2022 R1
  • VeraSMART: < 2022 R1 (Fixed in: 2022 R1)

Exploit Details

  • GitHub: Python-based PoC generating signed ViewState payloads using static keys.

Mitigation Strategies

  • Upgrade to VeraSMART 2022 R1 or later immediately.
  • Manually rotate ASP.NET machineKeys in web.config if patching is delayed.
  • Restrict network access to the VeraSMART web interface.

Remediation Steps:

  1. Identify the installation directory (typically C:\Program Files (x86)\Veramark\VeraSMART\WebRoot).
  2. Backup the existing web.config file.
  3. Generate new 64-byte validationKey and 32-byte decryptionKey hex strings.
  4. Replace the entry in web.config with the new values.
  5. Restart the IIS World Wide Web Publishing Service.
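The five remediation steps above as a single PowerShell script, written here as an added example (it is not part of the advisory and not Calero's own tooling). The install path is the advisory's default; the HMACSHA256/AES algorithm attributes and the backup file naming are assumptions.

```powershell
# Added example: rotate the ASP.NET machineKey in a VeraSMART web.config.
# Run from an elevated PowerShell prompt on the IIS host.
param(
    # Step 1: default install directory named in the advisory; override if different.
    [string]$WebRoot = 'C:\Program Files (x86)\Veramark\VeraSMART\WebRoot'
)

function New-HexKey {
    # Returns $ByteCount cryptographically random bytes as an upper-case hex string,
    # the format ASP.NET expects for validationKey / decryptionKey.
    param([int]$ByteCount)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

$configPath = Join-Path $WebRoot 'web.config'
if (-not (Test-Path $configPath)) { throw "web.config not found at $configPath" }

# Step 2: back up the existing file before touching it (timestamped name is an assumption).
$backup = "$configPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $configPath -Destination $backup

# Step 3: 64-byte validationKey and 32-byte decryptionKey, as the advisory specifies.
$validationKey = New-HexKey -ByteCount 64   # 128 hex characters
$decryptionKey = New-HexKey -ByteCount 32   # 64 hex characters

# Step 4: replace (or create) the <machineKey> element under <system.web>.
[xml]$config = Get-Content -Path $configPath -Raw
$systemWeb = $config.configuration.'system.web'
if (-not $systemWeb) { throw 'No <system.web> section found in web.config' }
$machineKey = $systemWeb.SelectSingleNode('machineKey')
if (-not $machineKey) {
    $machineKey = $config.CreateElement('machineKey')
    [void]$systemWeb.AppendChild($machineKey)
}
$machineKey.SetAttribute('validationKey', $validationKey)
$machineKey.SetAttribute('decryptionKey', $decryptionKey)
$machineKey.SetAttribute('validation', 'HMACSHA256')   # assumed algorithm choice
$machineKey.SetAttribute('decryption', 'AES')          # assumed algorithm choice
$config.Save($configPath)

# Step 5: restart the World Wide Web Publishing Service so the new keys take effect.
# Any ViewState signed with the old shared key is rejected from this point on.
Restart-Service -Name W3SVC -Force
Write-Host "machineKey rotated; previous web.config saved to $backup"
```

Keep the generated keys out of source control and repeat the rotation on every VeraSMART instance, since the point of the fix is that no two installations share a key.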

Read the full report for CVE-2026-26335 on our website for more details including interactive diagrams and full exploit analysis.
